AWS: Dynamic Address Group (DAG) is not populated with IPs

Created On 03/18/20 03:16 AM - Last Modified 04/06/20 17:40 PM


Symptom


A VM Information Source is configured on the PA-VM to learn tags from the AWS environment. These tags are referenced in a Dynamic Address Group (DAG) so that the associated IPs are learned and can be used in Security Policy. Traffic destined to the DAG does not match the intended security policy because the dynamic address group has no IPs registered.
  • Set the logging level of the useridd process on the PA-VM to "debug" with the following CLI command:
    debug user-id on debug
  • Run "tail follow yes mp-log useridd.log" to view the live log:
tail follow yes mp-log useridd.log
2020-01-28 10:34:42.413 -0800 Error:  pan_tag_filter_tag_sanity_check(pan_tag_table.c:432): tag name (aws-tag.tagspecial.hardik  * ^%$#@! ? / { } |) contains invalid char
2020-01-28 10:34:42.413 -0800 Error:  pan_regip_obj_add_tag(pan_reg_ip.c:1012): tag name (aws-tag.tagspecial.hardik  * ^%$#@! ? / { } |) is not valid
2020-01-28 10:34:42.413 -0800 Warning:  pan_regip_reg(pan_reg_ip.c:1511): tag aws-tag.tagspecial.hardik  * ^%$#@! ? / { } | for ip 20.20.11.4 is not valid, ignore
  • The log snippet above shows that the tag "tagspecial" contains special characters, so the firewall rejects the tag and does not register the IP 20.20.11.4 against it.


Environment


  • Platform: PA-VM-300
  • PAN-OS Version: 8.1.7
  • Plugin Version: NA


Cause


  • Special characters ( ) * ^%$#@! ? / { } | are not supported in tag names.


Resolution


  • Remove the special characters ( ) * ^%$#@! ? / { } | from the AWS tag names assigned to the EC2 instances.
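As an added example (not part of this article or of PAN-OS), the following Python pre-screens EC2 tags for the characters listed in the Cause section before the firewall learns them, and parses the useridd.log warnings shown above so the ignored tag and its IP are visible. The instance data is a constructed sample shaped like DescribeInstances output rather than fetched with boto3, and the aws-tag.<key>.<value> composition is inferred from the quoted log line.

```python
import re

# Characters the article lists as unsupported in PAN-OS tag names.
# Assumption: PAN-OS may reject more than this list; it is only what the article states.
UNSUPPORTED_CHARS = set("()*^%$#@!?/{}|")

# Matches the useridd.log "Warning: pan_regip_reg(...): tag <tag> for ip <ip> is not valid, ignore" line.
IGNORED_TAG_RE = re.compile(
    r"^\S+ \S+ [+-]\d{4} Warning:\s+pan_regip_reg\(\S+\): "
    r"tag (?P<tag>.+?) for ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is not valid, ignore$"
)

# Constructed sample shaped like EC2 DescribeInstances output; instance ids are placeholders.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-PLACEHOLDER1", "Tags": [{"Key": "Name", "Value": "web-01"}]},
    {"InstanceId": "i-PLACEHOLDER2", "Tags": [{"Key": "Name", "Value": "web-02"},
                                               {"Key": "tagspecial", "Value": "hardik  * ^%$#@! ? / { } |"}]},
]

# Constructed sample: the useridd.log lines quoted in the article's Symptom section.
SAMPLE_LOG = [
    "2020-01-28 10:34:42.413 -0800 Error:  pan_tag_filter_tag_sanity_check(pan_tag_table.c:432): "
    "tag name (aws-tag.tagspecial.hardik  * ^%$#@! ? / { } |) contains invalid char",
    "2020-01-28 10:34:42.413 -0800 Warning:  pan_regip_reg(pan_reg_ip.c:1511): "
    "tag aws-tag.tagspecial.hardik  * ^%$#@! ? / { } | for ip 20.20.11.4 is not valid, ignore",
]

def invalid_chars(name):
    """Return, sorted, the characters in name that the article says PAN-OS rejects."""
    return sorted(c for c in set(name) if c in UNSUPPORTED_CHARS)

def check_ec2_tags(instances):
    """Return (instance_id, key, value, offending_chars) for each tag a PA-VM would ignore.
    Assumption: PAN-OS registers a tag as aws-tag.<key>.<value> (as the log shows), so both are checked."""
    findings = []
    for inst in instances:
        for tag in inst.get("Tags", []):
            bad = invalid_chars("aws-tag.%s.%s" % (tag["Key"], tag["Value"]))
            if bad:
                findings.append((inst["InstanceId"], tag["Key"], tag["Value"], "".join(bad)))
    return findings

def ignored_tags_from_log(lines):
    """Parse useridd.log lines into {ip: [ignored tag, ...]}; non-matching Error lines are skipped."""
    ignored = {}
    for line in lines:
        m = IGNORED_TAG_RE.match(line.strip())
        if m:
            ignored.setdefault(m.group("ip"), []).append(m.group("tag"))
    return ignored
```

Running check_ec2_tags against real DescribeInstances output before enabling the VM Information Source catches the tags the firewall will silently drop, so the DAG gap is found before it reaches Security Policy.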

